hw/misc/arm_sysctl: Fix bad boundary check on mb clock accesses

Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard accesses into the mb_clock[] array, which was allowing a malicious guest to overwrite the end of the array. Signed-off-by: N Peter Maydell <peter.maydell@linaro.org> Reviewed-by: N Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: N Andreas Färber <afaerber@suse.de> Message-id: 1392647854-8067-2-git-send-email-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org

hw/misc/arm_sysctl: Fix bad boundary check on mb clock accesses
Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard accesses into the mb_clock[] array, which was allowing a malicious guest to overwrite the end of the array. Signed-off-by: N Peter Maydell <peter.maydell@linaro.org> Reviewed-by: N Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: N Andreas Färber <afaerber@suse.de> Message-id: 1392647854-8067-2-git-send-email-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org
ec1efab9 · Peter Maydell · d5001cf7 · ec1efab9
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

hw/misc/arm_sysctl.c hw/misc/arm_sysctl.c +2 -2

未找到文件。
--- a/hw/misc/arm_sysctl.c
+++ b/hw/misc/arm_sysctl.c
@@ -276,7 +276,7 @@ static bool vexpress_cfgctrl_read(arm_sysctl_state *s, unsigned int dcc,
        }
        break;
    case SYS_CFG_OSC:
-        if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+        if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
            /* motherboard clock */
            *val = s->mb_clock[device];
            return true;
@@ -324,7 +324,7 @@ static bool vexpress_cfgctrl_write(arm_sysctl_state *s, unsigned int dcc,
    switch (function) {
    case SYS_CFG_OSC:
-        if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+        if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
            /* motherboard clock */
            s->mb_clock[device] = val;
            return true;